chrisan/indicies Secret

Created May 12, 2018 14:47
GET /_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open logstash-2018.02.03 CagddD3xTrKLsGGZ586mZQ 5 1 56627 0 15.4mb 15.4mb
yellow open logstash-2018.04.13 Sg9NvyL5SJacHhAvYAtg2w 5 1 147773 0 49.6mb 49.6mb
yellow open logstash-2018.03.03 FZBQ5O0dRiCLVVQS8E6Ugw 5 1 161512 0 32.1mb 32.1mb
yellow open logstash-2018.01.18 5n7AldZlQ4usrbgwDMxTag 5 1 96455 0 31.8mb 31.8mb
yellow open logstash-2018.01.11 D8eDEOGFTK-F6C5PN_s52Q 5 1 51229 0 14.9mb 14.9mb
input {
  # Pull CloudFront access logs that CloudFront has delivered to S3.
  s3 {
    type   => "api_logs"          # tag used by the filter/output conditionals below
    region => "us-east-1"
    bucket => "cloudfront-logs"
    prefix => "api/"              # only the api/ distribution's log objects
    codec  => "plain"             # CloudFront gzips the objects; the plugin decompresses, one line per event

    # Poll cadence, in seconds.
    interval => 60

    # Never delete processed objects; progress is tracked via the sincedb
    # file instead, so a restart resumes where it left off.
    delete       => false
    sincedb_path => "/var/lib/logstash/api.sincedb"

    # NOTE(review): no access_key_id/secret_access_key are set here, so the
    # plugin falls back to its default AWS credential lookup (environment,
    # shared credentials file, instance profile) - confirm that is intended
    # and that the role only has s3:ListBucket/s3:GetObject on this bucket.
  }
}
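filter {
  if [type] == "api_logs" {
    # Every CloudFront log object starts with two comment lines
    # ("#Version: 1.0" and "#Fields: date time ..."). They carry no request
    # data, so discard them before grok sees them.
    if ( ("#Version: 1.0" in [message]) or ("#Fields: date" in [message])) {
      drop {}
    }

    # CloudFront standard (W3C-style) access log: 23 tab-separated columns.
    # Field names follow CloudFront's column names (sc_bytes, cs_uri_stem, ...).
    # The cs_uri_stem group additionally captures the tenant name when the
    # path is of the form /v1/rest/<company>/...; otherwise [company] is unset.
    # On a non-matching line grok adds the "_grokparsefailure" tag and sets no fields.
    grok {
      match => {
        "message" => "(?<timestamp>%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}\t%{TIME:time})\t%{WORD:x_edge_location}\t(?:%{NUMBER:sc_bytes:int}|-)\t%{IPORHOST:clientip}\t%{WORD:cs_method}\t%{HOSTNAME:cs_host}\t(?<cs_uri_stem>(/v1/rest/%{USERNAME:company})?%{GREEDYDATA})\t%{NUMBER:sc_status:int}\t%{GREEDYDATA:referrer}\t%{GREEDYDATA:agent}\t%{GREEDYDATA:cs_uri_query}\t%{GREEDYDATA:cookies}\t%{WORD:x_edge_result_type}\t%{NOTSPACE:x_edge_request_id}\t%{HOSTNAME:x_host_header}\t%{URIPROTO:cs_protocol}\t%{INT:cs_bytes:int}\t%{GREEDYDATA:time_taken:float}\t%{GREEDYDATA:x_forwarded_for}\t%{GREEDYDATA:ssl_protocol}\t%{GREEDYDATA:ssl_cipher}\t%{GREEDYDATA:x_edge_response_result_type}"
      }
    }

    # Only enrich lines grok actually parsed. Without this guard a failed line
    # would get a literal "%{year}-%{month}-..." timestamp string and a second,
    # misleading "_dateparsefailure" tag on top of "_grokparsefailure".
    if "_grokparsefailure" not in [tags] {
      # Re-assemble the event time from the separate date and time columns.
      mutate {
        add_field => [ "listener_timestamp", "%{year}-%{month}-%{day} %{time}" ]
      }
      date {
        # %{YEAR} yields a four-digit year, so match it explicitly with yyyy.
        # CloudFront logs date/time in UTC; pin the zone so the Logstash host's
        # local timezone cannot skew @timestamp.
        match    => [ "listener_timestamp", "yyyy-MM-dd HH:mm:ss" ]
        timezone => "UTC"
        target   => "@timestamp"
      }

      # Fix: the source must be the field grok produces. The previous
      # "c_ip" / "User_Agent" names did not exist on the event, so both
      # filters silently never ran (note the mapping above has no
      # "useragent" field and "clientip" is plain text, not ip).
      geoip {
        source => "clientip"        # viewer IP as seen by the CloudFront edge
      }
      useragent {
        source => "agent"           # cs(User-Agent) column
        target => "useragent"
      }
    }

    # Trim the event before indexing.
    #  - cookies / x_forwarded_for are dropped deliberately: cookies can carry
    #    session tokens, and x_forwarded_for is only meaningful when a proxy
    #    sits in front of CloudFront. Be aware that dropping x_forwarded_for
    #    loses the original client IP in that case.
    #  - ssl_protocol / ssl_cipher are dropped; if you ever need to spot
    #    clients negotiating weak TLS, keep them.
    #  - cs_uri_query and referrer are RETAINED and may contain API keys or
    #    tokens passed in the query string; consider redacting before indexing.
    #  - cloudfront_version / cloudfront_fields / User_Agent are not produced
    #    by this pipeline; listing them is a harmless no-op.
    mutate {
      remove_field => ["year","month", "day", "time", "listener_timestamp", "timestamp","cloudfront_version", "message", "cloudfront_fields", "User_Agent", "cookies", "x_edge_request_id", "x_edge_location", "@version", "x_forwarded_for", "ssl_protocol", "ssl_cipher", "x_edge_response_result_type"]
    }
  }
}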
output {
  # Only events tagged by the s3 input above go to Elasticsearch.
  if [type] == "api_logs" {
    elasticsearch {
      # Local, unauthenticated HTTP endpoint - acceptable only while ES is
      # bound to loopback; add user/password and https if it ever listens
      # on a non-local interface.
      hosts => [ "localhost:9200" ]

      # Index name is the plugin default (logstash-YYYY.MM.dd), matching the
      # _cat/indices listing above.
      # NOTE(review): the mapping dump above shows index logstash-2018.03.31
      # with a "cdn_api_logs" type, not "api_logs". On Elasticsearch 6.x an
      # index accepts a single mapping type, so writing "api_logs" into such
      # an index would be rejected - confirm the ES version and which type
      # these indices are supposed to carry.
      document_type => "api_logs"
    }
  }
}
GET /*/_mapping/
{
...,
"logstash-2018.03.31": {
"mappings": {
"cdn_api_logs": {
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"match_mapping_type": "string",
"mapping": {
"norms": false,
"type": "text"
}
}
},
{
"string_fields": {
"match": "*",
"match_mapping_type": "string",
"mapping": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"norms": false,
"type": "text"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"agent": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"clientip": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"cs_bytes": {
"type": "long"
},
"cs_host": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"cs_method": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"cs_protocol": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"cs_uri_query": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"cs_uri_stem": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"geoip": {
"dynamic": "true",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"company": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"referrer": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"sc_bytes": {
"type": "long"
},
"sc_status": {
"type": "long"
},
"tags": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"time_taken": {
"type": "float"
},
"type": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"x_edge_result_type": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"x_host_header": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"_default_": {
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"match_mapping_type": "string",
"mapping": {
"norms": false,
"type": "text"
}
}
},
{
"string_fields": {
"match": "*",
"match_mapping_type": "string",
"mapping": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"norms": false,
"type": "text"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"geoip": {
"dynamic": "true",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
}
}
}
}
},
...
}